SEC524 Computer and Network Forensics Lectures 08-10 PDF
Summary
These lecture notes cover computer and network forensics tools, including host-based and network forensics tools, host-based evidence, network evidence and packet capturing. They are from King Fahd University of Petroleum & Minerals.
King Fahd University of Petroleum & Minerals
College of Computer Sciences & Engineering
SEC524 Computer and Network Forensics
Lectures 08 – 10: Computer and Network Forensics Tools

These slides are based on:
- Guide to Computer Forensics and Investigations: Processing Digital Evidence, Bill Nelson et al. (Ch. 6)
- Applied Incident Response, Steve Anson (Part II)
- Digital Forensics and Incident Response, Gerard Johansen (Section 2)
- ENISA: Introduction to Network Forensics (Ch. 1)

Outline
- Introduction to Forensics Tools
- Overview of Host-based Evidence
- Host-based Forensics Tools
- Overview of Network Evidence
- Network Forensics Tools

Introduction to Forensics Tools
- Forensics tools can be either hardware-based or software-based.
- Hardware-based forensics tools: write blocker, hard-drive duplicator.
- Two major categories of software-based forensics tools:
  1. Host-based forensics tools
     - Meant to gather and analyze log data generated by applications and the operating system to notify developers and system administrators of events.
     - It is typically not possible to increase the amount of information being logged beyond what was designed into the system.
  2. Network forensics tools
     - In a successful attack (i.e., the attacker manipulates a host so that it logs no useful information, or logs false information), network data may be the only evidence left.
     - A lawful way to log network traffic efficiently must be determined.
     - During incident response, a full capture of suspicious traffic is needed, and there should be provisions/tools so that on-demand capturing of traffic can be done.

Overview of Host-based Evidence
- Host systems represent a possible initial target through which someone can gain a foothold in the network, or a pivot point for additional attacks.
- Investigators should be prepared to examine these systems when an incident occurs.
- Modern operating systems such as Microsoft Windows create a variety of evidentiary artifacts during:
  - execution of an application
  - changes to files
  - addition of user accounts
- The amount of data available to an investigator is increasing as storage and memory continue to expand.

Overview of Host-based Evidence (Cntd)
- Data that will be lost if the system is powered down is referred to as volatile data.
  - Can be data in the CPU, the routing table, or the ARP cache.
  - The most critical volatile data is the current system memory.
  - When investigating incidents such as malware infections, the memory of a live system is of critical importance.
  - Malware leaves several key pieces of evidence within memory, including registry data, command history, and network connections.
- Non-volatile data is stored on a hard drive.
  - Includes Master File Table (MFT) entries, registry information, and the actual files on the hard drive.
  - Malware can still leave valuable evidence in non-volatile storage.
- The different levels of volatility of digital evidence (shown next) should be considered when deciding the acquisition order.

Overview of Host-based Evidence (Cntd)
[Figure: levels of volatility of digital evidence]

Host-based Forensics Tools
- Two types of host-based forensics tools are available: commercial, and free/open-source.
- Common tools: EnCase (commercial), FTK (commercial), WinPmem, Ram Capturer, ...
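EnCase (full hash of the drive, hashes for all files) and FTK (hashing with the Known File Filter database), covered in the slides that follow, automate a step that is easy to show in plain Python: chunked hashing of an acquired image, re-verification against the hash recorded at acquisition, and KFF-style triage that drops every file whose hash is in a known-file set so that only unknown files need review. The following is an added example, not code from the lecture slides or from EnCase/FTK; the file tree, its contents and the known-file set are constructed for the demonstration, and the only real value is the well-known SHA-256 of a zero-length file.

```python
"""Evidence hashing, image re-verification and KFF-style known-file filtering.

Added example (not from the slides, EnCase or FTK). Sample files are constructed.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so multi-GB images never sit in memory
# SHA-256 of zero bytes: vendor known-file sets contain it, so empty files are "known".
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def hash_file(path, algo="sha256"):
    """Hex digest of one file, computed in chunks (the 'full hash of the drive' step)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, expected_hex, algo="sha256"):
    """True if the image still matches the hash recorded at acquisition time."""
    return hmac.compare_digest(hash_file(path, algo), expected_hex.lower())


def hash_tree(root, algo="sha256"):
    """'Collect hashes for all files': {relative path: digest} for everything under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = hash_file(full, algo)
    return result


def filter_known(hashes, known):
    """KFF-style triage: files whose hash is in the known-file set are dropped."""
    return {rel: h for rel, h in hashes.items() if h not in known}


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    return full


def demo():
    """Constructed evidence set: a raw image file plus a mounted file tree."""
    root = tempfile.mkdtemp(prefix="sec524_")
    image = _write(root, "laptop1.raw", b"constructed stand-in for an acquired image")
    mount = os.path.join(root, "mount")
    _write(mount, "Windows/System32/kernel32.dll", b"constructed stand-in for a known OS file")
    _write(mount, "Windows/System32/calc.exe", b"constructed stand-in for another known file")
    _write(mount, "Users/alice/Downloads/invoice.exe", b"constructed unknown binary")
    _write(mount, "Users/alice/Desktop/empty.txt", b"")
    # A real known-file set comes from a vendor database; here it is built from the
    # two constructed "OS files" plus the empty-file hash so that they are filtered out.
    known = {hash_file(os.path.join(mount, "Windows", "System32", n))
             for n in ("kernel32.dll", "calc.exe")} | {EMPTY_SHA256}
    hashes = hash_tree(mount)
    acquisition_hash = hash_file(image)  # would be recorded when the image was taken
    return {
        "hashes": hashes,
        "unknown": filter_known(hashes, known),
        "image_verified": verify_image(image, acquisition_hash),
        "tamper_detected": not verify_image(image, "0" * 64),
    }


if __name__ == "__main__":
    for rel, digest in demo()["unknown"].items():
        print(f"needs review: {rel} {digest}")
```

Only invoice.exe survives the filter; the two "OS files" and the empty file are dropped because their hashes are in the known set. The compare_digest call is deliberate: a hash recorded in a chain-of-custody form is compared without leaking timing, and a single flipped bit in the image makes verify_image return False.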
- For more tools, visit: https://www.securitywizardry.com/products/forensic-solutions

Host-based Forensics Tools (Cntd)
EnCase
- Client–server architecture:
  - Agent for Windows, Mac, and Linux.
  - The agent residing at the client waits for "commands" from the server.
  - Public-key encryption is used for all communication.
- Capabilities:
  - Take a quick "snapshot" of the running system.
  - Write blocking.
  - Full memory acquisition; the image can later be viewed using a tool like Mandiant Redline or Volatility.
  - Preview of hard drives.
  - Full drive capture, or select only the files of interest.
  - Create an Evidence File (E01) that can later be mounted as a drive.
  - Search for files across multiple clients, with keyword search capability.
  - Locate hidden drives, partitions, and files.
  - Create a full hash of the drive.
  - Collect hashes for all files.

Host-based Forensics Tools (Cntd)
EnCase: Creation of Evidence File

Host-based Forensics Tools (Cntd)
Forensic Toolkit (FTK)
- Capabilities:
  - Create images of hard drives (using FTK Imager).
  - Analyze the evidence (using hashing, the Known File Filter (KFF) database, and searching).
  - Scan slack space for file fragments.
  - Inspect emails.
  - Identify steganography.
  - Crack passwords.

Host-based Forensics Tools (Cntd)
FTK (Cntd)

Host-based Forensics Tools (Cntd)
WinPmem
- A memory acquisition tool provided by the same organization that created the Rekall memory analysis tool.
- Available for Linux, macOS, and Windows systems; we will focus on WinPmem for Windows systems.
- The default output of WinPmem is the Advanced Forensic Framework 4 (AFF4) file format.
- To configure WinPmem to acquire the memory of the system, type:
    D:\winpmem-2.1.exe --format raw -o e:\Laptop1

Host-based Forensics Tools (Cntd)
Ram Capturer
- A free, GUI-based memory acquisition tool provided by the software company Belkasoft.
- After launching it and selecting the path of the folder where the memory image should be placed, click on the "Capture!" button.

Overview of Network Evidence
- Network logs provide
  investigators with good information, and are provided by a range of network device manufacturers.
- Network devices (switches, routers, ...) have their own internal logs that maintain data on who accessed the device and made changes.
- Switches: core and edge switches, with two evidence points:
  1. Content Addressable Memory (CAM) table
     - Maps the physical ports on the switch to the Network Interface Card (NIC) of each device connected to the switch.
     - Aids in the identification of possible rogue devices, such as wireless access points or systems connected to the internal network by an adversary.
  2. Network traffic capture

Overview of Network Evidence (Cntd)
- Routers: key pieces of evidentiary information:
  - The routing table holds information mapping physical ports to various networks.
  - Routers maintain logs on allowed traffic and data flows.
  - NetFlow data provides data on IP addresses, ports, and protocols of network traffic; it is utilized to determine the flow of traffic from various segments of the network.
- Firewalls:
  - Contain several features such as IDS/IPS, web filtering, data loss prevention, and detailed logs about traffic.
  - Act as a detection mechanism for potential incidents.
- Network IDS/IPS:
  - Utilize a combination of network monitoring and rulesets to determine whether there is any malicious activity.
  - Provide excellent logs for incident responders to locate specific evidence of malicious activity.

Overview of Network Evidence (Cntd)
- Web proxy servers:
  - Provide an enterprise-wide picture of web traffic that originates from or is destined for internal hosts.
  - Additional features provide alerts on connections to known malware Command & Control (C2) servers, and provide logs that can identify the source of malicious traffic or the C2 server controlling a compromised host.
- Domain controllers or authentication servers: provide details of logins, credential manipulation, and other credential uses.
- DHCP server: maintains logs on the assignment of IP addresses mapped to the MAC address of the host's NIC.
- Application servers:
  - Each server can provide logs specific to the type of application.
  - Pay attention to logs pertaining to remote connections.

Network Forensics Tools
- Two types of network forensics tools are available: commercial, and free/open-source.
- Commercial tools: NetworkMiner, NetIntercept, NetDetector, NextGen, ...
- Free/open-source tools: NetFlow, Argus, tcpdump, WinPcap, RawCap, dumpcap/Wireshark, ...
- We will only focus on the free/open-source tools.
- For more tools, visit: https://www.securitywizardry.com/products/forensic-solutions

Network Forensics Tools (Cntd)
NetFlow
- First designed by Cisco Systems in 1996.
- A feature found in network devices such as switches and routers.
- Allows network administrators to monitor traffic within the network, both internal and external.
- Not strictly a security tool, but it does provide a good deal of data to incident responders in the event of an incident.
- NetFlow records are sent by network devices via the UDP protocol to a central collection point, often called the NetFlow Collector.

Network Forensics Tools (Cntd)
NetFlow (Cntd)
- A flow is defined by seven unique keys:
  1. Source IP address
  2. Destination IP address
  3. Source port
  4. Destination port
  5. Layer 3 protocol type
  6. TOS byte (IPv4), DSCP (IPv6)
  7. Input logical interface (SNMP ifIndex)
- A typical output of a NetFlow command line tool (e.g., nfdump):

    Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
    2010-09-01 00:00:00.459     0.000 UDP        127.0.0.1:24920   ->     192.168.0.1:22126        1       46     1
    2010-09-01 00:00:00.363     0.000 UDP      192.168.0.1:22126   ->       127.0.0.1:24920        1       80     1

Network Forensics Tools (Cntd)
NetFlow (Cntd)
- Example of a potential DoS attack on a router (660 pkt/s = 0.2112 Mbps).
- Typical DoS attacks have the same NetFlow flow entries for:
  - Input interface (SrcIf)
  - Destination IP (DstIf)
  - 1 packet per flow (Pkts)
  - Bytes per packet (B/Pk)
- Source: Cisco's "NetFlow for Accounting, Analysis and Attack"

Network Forensics Tools (Cntd)
Argus (Audit Record Generation and Utilization System)
- One of the first implementations of a network flow monitoring system, and an ongoing open-source network flow monitor project.
- Assists in network operations, performance, and security management.
- Consists of two packages:
  - argus: contains the Argus monitor (captures packets and combines them into flow records).
  - argus-clients: contains numerous clients to analyze the flow records, such as ra (read argus), rapolicy, ragraph, ratop, ...
- Sample output from ratop for a hosted website:

    > ratop -r argus.out - remote 'port http'
    2018/07/17.19:21:31 CEST
    StartTime        Flgs  Proto  SrcAddr Sport        Dir  DstAddr Dport       TotPkts  TotBytes  State
    00:15:36.233618  e     tcp    78.186.188.12.52903   ->   85.114.128.143.80        4       228  RST
    09:41:32.626411  e     tcp    179.228.18.161.33058  ->   85.114.128.143.80        4       228  RST
    18:17:01.280555  e     tcp    93.174.93.218.58117   ->   85.114.128.143.80        3       174  RST
    18:06:23.979436  e     tcp    93.174.93.218.43854   ->   85.114.128.143.80        3       174  RST
    16:20:22.553271  e     tcp    93.174.93.218.43915   ->   85.114.128.143.80        3       174  RST
    18:44:35.080129  e     tcp    216.244.65.210.59901  ->   85.114.128.143.80        3       174  RST
    21:47:48.993661  e     tcp    109.248.9.10.42952    ->   85.114.128.143.80        3       174  RST
    [..]
    ProcessQueue 729  DisplayQueue 729  TotalRecords 860  Rate 19.6161 rps  Status Idle
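To show what an analyst does with nfdump rows like the ones above and with the Cisco DoS pattern (one destination, many flows, one packet per flow, constant bytes per packet), the following added example (not from the slides, nfdump, Argus or Cisco) parses nfdump-style text into flow records and reports destinations matching that pattern, computing the rate in pkt/s and the Mbps conversion the slide uses. The flood rows, the 203.0.113.0/24 source addresses and the 10.0.0.1 router address are constructed; the input interface is not among the default nfdump columns, so the check relies on the remaining flow keys.

```python
"""nfdump-style flow parsing and a NetFlow DoS-pattern check.

Added example (not from the slides, nfdump or Cisco). Flood rows are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# The two rows shown on the slide, in nfdump's text layout (parser input).
SLIDE_OUTPUT = """\
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2010-09-01 00:00:00.459     0.000 UDP        127.0.0.1:24920   ->     192.168.0.1:22126        1       46     1
2010-09-01 00:00:00.363     0.000 UDP      192.168.0.1:22126   ->       127.0.0.1:24920        1       80     1
"""


@dataclass
class Flow:
    start: datetime
    duration: float
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    bytes: int
    flows: int


def _addr(token):
    ip, _, port = token.rpartition(":")  # split on the last colon only
    return ip, int(port)


def parse_nfdump(text):
    """One Flow per data row; header, summary and blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 10 or parts[5] != "->":
            continue
        src_ip, src_port = _addr(parts[4])
        dst_ip, dst_port = _addr(parts[6])
        flows.append(Flow(
            start=datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S.%f"),
            duration=float(parts[2]), proto=parts[3],
            src_ip=src_ip, src_port=src_port, dst_ip=dst_ip, dst_port=dst_port,
            packets=int(parts[7]), bytes=int(parts[8]), flows=int(parts[9])))
    return flows


def find_dos_candidates(flows, min_flows=50, single_packet_ratio=0.9):
    """Destinations whose flows match the Cisco DoS example.

    For each destination IP with at least min_flows flows, require that (almost)
    every flow carries a single packet and that bytes per packet is constant.
    Rate = packets over the span of flow start times (at least 1 s), and
    Mbps = pkt/s * bytes/packet * 8 / 1e6, the conversion used on the slide.
    """
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f.dst_ip].append(f)
    hits = []
    for dst_ip, group in by_dst.items():
        if len(group) < min_flows:
            continue
        single = sum(1 for f in group if f.packets == 1) / len(group)
        bytes_per_packet = {f.bytes // f.packets for f in group}
        if single < single_packet_ratio or len(bytes_per_packet) != 1:
            continue
        starts = sorted(f.start for f in group)
        window = max((starts[-1] - starts[0]).total_seconds(), 1.0)
        packets = sum(f.packets for f in group)
        bpp = bytes_per_packet.pop()
        pps = packets / window
        hits.append({"dst_ip": dst_ip, "flows": len(group), "packets": packets,
                     "sources": len({f.src_ip for f in group}),
                     "bytes_per_packet": bpp, "pkt_per_s": pps,
                     "mbps": pps * bpp * 8 / 1e6})
    return hits


def constructed_sample():
    """Slide rows plus a constructed flood: 100 single-packet, 40-byte TCP flows
    from 100 addresses in 203.0.113.0/24 (a documentation range) to the
    constructed router address 10.0.0.1, starting 10 ms apart."""
    lines = SLIDE_OUTPUT.splitlines()
    t0 = datetime(2010, 9, 1, 0, 0, 1)
    for i in range(100):
        ts = t0 + timedelta(milliseconds=10 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S}.{ts.microsecond // 1000:03d} 0.000 TCP "
                     f"203.0.113.{i + 1}:{40000 + i} -> 10.0.0.1:80 1 40 1")
    return "\n".join(lines)


if __name__ == "__main__":
    for hit in find_dos_candidates(parse_nfdump(constructed_sample())):
        print(hit)
```

The two slide rows are each the only flow to their destination and are ignored; the constructed flood is reported as 100 flows from 100 sources at 100 pkt/s of 40-byte packets, i.e. 0.032 Mbps by the slide's arithmetic (the slide's own 660 pkt/s example works out the same way: 660 * 40 * 8 / 1e6 = 0.2112 Mbps). Thresholds are parameters because legitimate DNS or NTP traffic also produces short single-packet flows; the constant bytes-per-packet condition is what separates a flood from that background.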
Network Forensics Tools (Cntd)
Packet Capturing
- Critical to having a full understanding of an incident.
  - For example, being able to identify traffic to a potential C2 IP address may provide further information about the type of malware that might have infected a host.
- Common tools: tcpdump, WinPcap, RawCap, dumpcap/Wireshark.
  - dumpcap is part of the Wireshark package.
  - tcpdump is often included with Linux distributions and is found on many network devices.
  - WinPcap and RawCap are available for Windows-based systems but are not native Windows tools.
    - WinPcap needs to be installed on the system before usage; from a forensics perspective this is a drawback, as any change to the system must be thoroughly documented.
    - RawCap can be run from a USB device attached to the system (i.e., it does not need to be installed on the system before usage).
  - Wireshark is a GUI-based packet capture and analysis tool for Unix and Windows; it offers not only packet capture but also several analysis features.
    - Wireshark can be run on the system itself or from a USB drive.

Network Forensics Tools (Cntd)
Packet Capturing (Cntd)
tcpdump: To perform a packet capture, the following can be used:
1. To access the basic help menu, type the following into a command prompt:
     dfir@ubuntu:~$ tcpdump -h
   The following lists all the interfaces that tcpdump can capture traffic on:
     dfir@ubuntu:~$ tcpdump -D
   It shows that ens33 (Ethernet) and lo (loopback) are available for capturing traffic.
2. Type the following to configure a basic capture on ens33 with normal verbosity:
     dfir@ubuntu:~$ sudo tcpdump -i ens33 -v
   - The switch -vvv can be used for a more detailed look at the packets.
   - The individual packet information shown by this command is of little use to an analyst, because of the speed with which the packets scroll across the screen.
   - Save the output to a file and analyze it with a packet analysis tool (e.g., Wireshark).
3. To output the packet capture to a file, the following command is used:
     dfir@ubuntu:~$ sudo tcpdump -i ens33 -vvv -w ping_capture
   - The command tells tcpdump to capture network traffic and save it to the file ping_capture.
   - Unlike the previous capture, no traffic is shown on the screen.
   - To stop the capture, type Ctrl + C (a total of 4,333 packets were recorded).
   - The file can then be opened via Wireshark for analysis.
- tcpdump can also be configured to focus the capture on specific source or destination IP addresses and ports.
  - For example, if an investigator needs to collect packets leaving a specific host (e.g., 192.168.10.54), the following command produces the desired results:
      dfir@ubuntu:~$ sudo tcpdump -i ens33 src host 192.168.10.54
  - Packets going to a destination such as a known C2 server (e.g., 162.4.5.23) can be separated from the background network traffic with the following:
      dfir@ubuntu:~$ sudo tcpdump -i ens33 dst host 162.4.5.23

Network Forensics Tools (Cntd)
Packet Capturing (Cntd)
RawCap: To perform a packet capture, the following can be used:
1. Start the Windows Command Prompt as an administrator.
2. Navigate to the folder containing RawCap.exe. For a list of options, type the following, which also produces a list of interfaces:
     D:\>RawCap.exe -help
3. Use the following to start a packet capture on wireless interface number 5 and save it to the file RawCap.pcap (to stop the capture, type Ctrl + C):
     D:\>RawCap.exe 5 RawCap.pcap
   The file can then be opened via Wireshark for analysis.

Network Forensics Tools (Cntd)
Packet Capturing (Cntd)
Wireshark: To perform a packet capture, use the following:
1. Select an interface that Wireshark will capture traffic on, and double-click on it to start a packet capture, which is displayed immediately on the screen.
2. To stop the capture, hit the red box in the upper-left corner of the pane; the file can then be saved for further analysis.
- Another tool included with Wireshark is mergecap, which allows you to combine multiple packet capture files from Wireshark, tcpdump, or RawCap into a single file:
    dfir@ubuntu:~$ mergecap -w switches.pcap sw1.pcap sw2.pcap sw3.pcap
  This helps examine activities across multiple network paths.
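The capture procedures above end with a .pcap file that is handed to Wireshark. The following added example (not from the slides, tcpdump, RawCap or Wireshark) shows what such a file contains and what the `src host` / `dst host` filters and the mergecap step do to it: a minimal libpcap reader and writer, host filters over decoded IPv4 packets, and a chronological merge of several capture files. The three "switch" captures are constructed in memory using the slides' example addresses (192.168.10.54 as the internal host, 162.4.5.23 as the C2 server); IP and UDP checksums are left at zero, so the frames are parser input rather than wire-valid traffic.

```python
"""Minimal libpcap reader/writer, tcpdump-style host filters, mergecap-style merge.

Added example (not from the slides or the tools they describe). Captures are constructed.
"""
import socket
import struct
from dataclasses import dataclass

PCAP_MAGIC = 0xA1B2C3D4     # libpcap file with microsecond timestamps
LINKTYPE_ETHERNET = 1


@dataclass
class Packet:
    ts: float      # seconds since the Unix epoch
    src: str
    dst: str
    proto: int     # IPv4 protocol number (17 = UDP, 6 = TCP)
    sport: int
    dport: int
    length: int


def make_udp_frame(src, dst, sport, dport, payload=b""):
    """Ethernet + IPv4 + UDP frame (constructed sample input; checksums left zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip + udp


def write_pcap(records):
    """(timestamp_seconds, frame) pairs -> bytes of a little-endian pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_records(data):
    """Yield (timestamp, frame) from pcap bytes, honouring the file's byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:          # same magic written big-endian
        end = ">"
    else:
        raise ValueError("not a microsecond-resolution pcap file")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            break  # capture cut off mid-record (e.g. disk full): keep the complete ones
        yield sec + usec / 1_000_000, frame
        off += 16 + incl_len


def decode(ts, frame):
    """Pull IPv4 addresses, protocol and TCP/UDP ports out of an Ethernet frame."""
    src = dst = ""
    proto = sport = dport = 0
    if len(frame) >= 34 and struct.unpack("!H", frame[12:14])[0] == 0x0800:
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        l4 = frame[14 + ihl:]
        if proto in (6, 17) and len(l4) >= 4:
            sport, dport = struct.unpack("!HH", l4[:4])
    return Packet(ts, src, dst, proto, sport, dport, len(frame))


def read_pcap(data):
    return [decode(ts, frame) for ts, frame in iter_records(data)]


def src_host(packets, ip):
    """Equivalent of the tcpdump filter `src host <ip>`."""
    return [p for p in packets if p.src == ip]


def dst_host(packets, ip):
    """Equivalent of the tcpdump filter `dst host <ip>`."""
    return [p for p in packets if p.dst == ip]


def mergecap(*captures):
    """Merge pcap files in timestamp order, as `mergecap -w out a b c` does by default."""
    records = [rec for data in captures for rec in iter_records(data)]
    records.sort(key=lambda rec: rec[0])
    return write_pcap(records)


def demo():
    """Three constructed 'switch' captures (sw1, sw2, sw3), merged and filtered."""
    host, c2 = "192.168.10.54", "162.4.5.23"
    sw1 = write_pcap([(1000.000100, make_udp_frame(host, c2, 49152, 53)),
                      (1000.000300, make_udp_frame("192.168.10.7", "192.168.10.1", 50000, 53))])
    sw2 = write_pcap([(1000.000200, make_udp_frame(c2, host, 53, 49152))])
    sw3 = write_pcap([(1000.000050, make_udp_frame("192.168.10.7", host, 40000, 161))])
    merged = read_pcap(mergecap(sw1, sw2, sw3))
    return merged, src_host(merged, host), dst_host(merged, c2)
```

Run stand-alone, demo() returns the four packets in timestamp order regardless of which switch recorded them, which is exactly why the merge is useful for tracing one conversation across several network paths. The truncated-record handling in iter_records matters in practice: a capture stopped by a full disk or a crash ends mid-record, and a reader that raises on it loses everything that was already written.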